ffccc382e7d1a080e8f88ac14465ca35ea9c6d4eda84d5c0d87553efd4a527ec

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
Size

706KB
MD5

df830eb5080f62a3db751c9d52ba8988
SHA1

35d9240031ad0d1a854ad66990779bd6fc7fb956
SHA256

ffccc382e7d1a080e8f88ac14465ca35ea9c6d4eda84d5c0d87553efd4a527ec
SHA512

8c634f34184ab0c27e9f0d94d529e8e116916714b4213c499af482169198f855d49d3827ae9a29a5c64b8b36bfd2f9a7337ad55dd258a6365ac8b57e04927589
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspjf1UZImVU2YFox9we2a:gpQ/6trYlvYPK+lqD73TeGspaZDW2WGL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	ScrBlaze.scr

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\s18273659	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
File created	C:\Windows\ScrBlaze.scr	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScrBlaze.scr

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2736	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
2736	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
1808	ScrBlaze.scr
1808	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 1808	2736	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe	31
PID 2736 wrote to memory of 1808	2736	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe	31
PID 2736 wrote to memory of 1808	2736	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe	31
PID 2736 wrote to memory of 1808	2736	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d5e7550f47e036389490aeeb91a2132b

SHA1
5559c30fe9bd507c52ee8a00cbba5e8db1506cb5

SHA256
84c968fc04baf4262fdb9bdd2ae818d73beafe0d38e69fc907b36e9202e0e336

SHA512
0775787e2d2512954617945a5a6a242539802014b3abde175cc38bf6e42cbf716dd58ecdb9200a4e247cacd625d9b4fe9cc1cc5128988f4ada4bd869152e8653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174

Filesize
471B

MD5
889dd76ae1cf8142dd6fa0951da93b92

SHA1
2cd978d0dac080b2dafcb1a4844f89df2d62d4af

SHA256
5f93b38339fd55325d70308316707c849f7200784871dfc03628327bdaee1812

SHA512
4b8dc9e4b7d141708f4203deec7f2f3cc2caeb4508433a79d90a77f80f021a4087eb041ee1672333ea8f36209d48914962848deed7d6091b3402bc6abb281d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F

Filesize
471B

MD5
848b5613282a5db0192b8598bc70578b

SHA1
dcc3a332827e1f0c902770051e36bcd1afc67ae3

SHA256
211d5b4509af876058debf19795fdc7588cf349a9fc81f28ab9ec4bb833b0e60

SHA512
049fd7f830345212ac8fda2b1b30721bcf0496a397fb6ab6b1a185694fa04e0cf0957b814b956334ab1491bd1c5884656bba1c4e78fb97297fbd18905fbb65d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
ebda9d4e41e3f490b595b22e7c91ba37

SHA1
2b68a2de03e13c4ef4a2a3ef4cfb78861d75284f

SHA256
1a73d7c3ce91edebb26df07e9015f912b16b92ad107a99d3891a9c089823b986

SHA512
b834a56ee71ddf35d9d23c923fc97ea8bfa19028e76ab6e0a8e73b904942a836bfe5cba57d3b4f51ccde9a74c84ada64d3a52cfd79ef5a804088139b0bc5ad7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
731ca0f66982354c1c4035936bd76217

SHA1
b92d9bb293c74f0289ab2b086c1827642cfdc348

SHA256
4cd2fdb591d5adc8706d9b092790eb76bd72c4a2c6cd160d0d780aecc41bdb4b

SHA512
54987962d56bc7460df986519dc4b97693afd448618dff64c618885013eced4b4d99f82d33ef37a57194227b112f86e3373655e025b78be87ad25a301f2ab503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174

Filesize
406B

MD5
4b6ef7f155438e741e95126c0c54f329

SHA1
7c49adb503690fdc98e7f0be40fd6758cad2b47d

SHA256
5666991071c6f457c8d686a7a776f008a4fdfbf8bb2228e9fc9f36c19581e3d7

SHA512
7c53eeaf11aa300efd9053f1bbaa22f2f3b4e722b5dd4a43f4c1e0121baf24871da37c2073041a4285968b0718a54341724199989f22a1a28a491af2ed50092b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
538ddd99a2f2606e8f36b325a31bcfa6

SHA1
87ddce361bcefdd96aec09da4adc3f58657406e4

SHA256
bc629438f8c5df7591516c4ccfcac0b1c2dc493b58a16d501f949457cda6637d

SHA512
72d42cc6692122581e29125a6a69715a625c2117c1de0ca45284002b03916f55bda1b212e5fafabda1cba616a9acd293b6f05bc915d50d0f407aab8e3dd3382c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F

Filesize
410B

MD5
0f300292747a6890e2a44e4beb6893e1

SHA1
f231365ad213ed3b470cae372e3293621a6994b4

SHA256
d11a480c72e92379872ec5fc33876045f8155089b1bd965ce8f46d7f5e8fcfcf

SHA512
4c003fe6855fdabc8404159e49f59e066b1f11362ede547b04039a927ff547d846b2fd7810ba35676b2a2b517e37b78c1345120ed4ff60534c76a2e94b7106fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RXRX1VH\css[1].css

Filesize
312B

MD5
2494130e2dd81fb40051261cac87fa92

SHA1
08bf1ea9863ee62a66bf9a75161176caa5a11cec

SHA256
ad6e8562d7a6a701d734b60795921409d5449b1806b88ffb1173e832c6da695b

SHA512
5defafa591cbe2fce7b02dbde7b9ff834fb0e5a3da41807978560c292aad11546045f8689d7de4d583c1635012bbcda48b8f49bf0588abe8ef50480fbb2f7134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RXRX1VH\firefox[1].png

Filesize
9KB

MD5
7f980569ce347d0d4b8c669944946846

SHA1
80a8187549645547b407f81e468d4db0b6635266

SHA256
39f9942adc112194b8ae13ba1088794b6cb6e83bd05a4ed8ce87b53155d0e2f7

SHA512
17993496f11678c9680978c969accfa33b6ae650ba2b2c3327c45435d187b74e736e1489f625adf7255441baa61b65af2b5640417b38eefd541abff598b793c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\edgium[1].png

Filesize
6KB

MD5
01010c21bdf1fc1d7f859071c4227529

SHA1
cd297bf459f24e417a7bf07800d6cf0e41dd36bc

SHA256
6fb31acdaf443a97183562571d52ce47dd44c1a8dcb4087338d77ea2617b286e

SHA512
8418d5ac3987ee8b6a7491167b0f90d0742e09f12fceb1e305923e60c78628d494fcd0fee64f8a6b5f6884796360e1e3ec1459dc754bbfb874504f9db5b56135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\yt_logo_rgb_light[1].png

Filesize
8KB

MD5
d654f892f287a28026cd4d4df56c29c8

SHA1
98779a55fe32a66ebec8338c838395d265e45013

SHA256
fc6f5d8f32f13d5855840234dc1bff5c91c35318ee2192d99b13eb3572f0bca8

SHA512
3668902aeaf792ad73ba51e0a4caaa520ebc38177791dfac9a9b28026c3bde99e721bf54d626f266a19cfd045a6d2dc8c8e70e53a2c5ee524c6f2736bb0ce409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J7FHNNOW\chrome[1].png

Filesize
6KB

MD5
ac10b50494982bc75d03bd2d94e382f6

SHA1
6c10df97f511816243ba82265c1e345fe40b95e6

SHA256
846a9b551e74f824fd7ace3439a319b0c0803449e8caec9f16e2666e38a80efd

SHA512
b6666b540aef6c9c221fe6da29f3e0d897929f7b6612c27630be4a33ae2f5d593bc7c1ee44166ce9f08c72e8608f57d66dd5763b17fec7c1fb92fc4d5c6dd278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J7FHNNOW\dinosaur[1].png

Filesize
57KB

MD5
bdda3ffd41c3527ad053e4afb8cd9e1e

SHA1
0ad1bb7ce8d8a4dc8ac2a28e1c5155980edfab9b

SHA256
1a9251dc3b3c064cfc5e2b90b6c7dc3c225f7017066db2b77e49dae90a94a399

SHA512
4dc21ef447b54d0e17ccd88db5597171047112ce1f3f228527e6df079ce2a43a463a3a1e4255828b12f802d70a68dbe40b791852134be71c74de97718b2f1d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OX8Z8GR5\css[1].css

Filesize
181B

MD5
f407e7b6e7d9fc9da41d84c225ba6dbf

SHA1
2c26b50f87ee2e0d8c2f345106047e2055a147a7

SHA256
df378280434faf25fbbdaf52d145580a12fffdaa2fe3f45f7e24d4cf8f7a13af

SHA512
cc6ff71ed48e437215cd54ab4b527f01935070aeed4e6650c27c0d304eb80b3e7207c859425bd0f770c091c968e45e704c25bec0009dcb5b513823956f7e8528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OX8Z8GR5\opera[1].png

Filesize
2KB

MD5
5cb98952519cb0dd822d622dbecaef70

SHA1
2849670ba8c4e2130d906a94875b3f99c57d78e1

SHA256
02f95fbdb68f232bffd4f2c0fdd033d6c83b829c610cddccc0b1d43e2274e6a7

SHA512
5f29b7459fbd01e16dbd196e4bcddf109af017cccf31337abe1cec6cc5a84711fc2cd34ad7a35d9432a9d7e42ca23d7f6c9d4315396429d7b8e48b9491696afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8037.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar804A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7KA6AFZG.txt

Filesize
74B

MD5
9c0d9148bb3f1fe41726e7a8011595cd

SHA1
bb8928ffb26b52985ad74173b1bf41c0464adcf2

SHA256
c08e5c39ac11032f0dd43c47083540d061aaf9dbce72cbf4cfb980f6b99c5cdd

SHA512
d496f1f89e7d9846589157730c6044d2de91a72c8888522d91bdc9f01a068c24282eb55e7105b2cffa4dc3bf5a1d2da4d56134610b709ff204145e7be4912fae

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
df830eb5080f62a3db751c9d52ba8988

SHA1
35d9240031ad0d1a854ad66990779bd6fc7fb956

SHA256
ffccc382e7d1a080e8f88ac14465ca35ea9c6d4eda84d5c0d87553efd4a527ec

SHA512
8c634f34184ab0c27e9f0d94d529e8e116916714b4213c499af482169198f855d49d3827ae9a29a5c64b8b36bfd2f9a7337ad55dd258a6365ac8b57e04927589

Download Submit
C:\Windows\s18273659

Filesize
894B

MD5
db43454a4afc3fe19ce08128f50cda36

SHA1
ce582c545bca29c5e5b3065874e43dab451342e5

SHA256
d458868aece535f351ca78c089aca07302eae7953fcf9d1b7dba02c1cb382d35

SHA512
ce395ceb101b4f08e2accd41943e61bbdc671b5d45e2167bf31aff1ad657b385c0cf4b438a159fd70572a161aa7fc0c64b52f68fd57a69a2d0fb96fc4f64dc9b

Download Submit
C:\Windows\s18273659

Filesize
964B

MD5
445a4389c2bd0bfffb96d8c0d2a087b6

SHA1
329520e0e8c9365d1ce6f6488dfa0771aa6f5c27

SHA256
b870e7d52db9615de3eb8b9a94ae7c33896c57c42f8d382da14a091c103d4567

SHA512
b71471dfeca9e5e0ed5f7ae166568729a8a6f61796721be7ea399ee59f0a6f5fd64639f0ca8d55228f50cfac17943b246c55eed5651da33f089a62a5a3bbeb7c

Download Submit
memory/1808-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-152-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1808-79-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-78-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-77-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-57-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1808-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-67-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1808-64-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2736-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2736-58-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download